Burma
Virus.DOS.Burma is a dangerous file-overwriting virus for DOS, written by the Bulgarian virus writer Dark Avenger. There are 10 variants in 3 versions, represented by the following:

*Virus.DOS.Burma.409
*Virus.DOS.Burma.442
*Virus.DOS.Burma.563

Behavior

The virus first displays a video effect, then overwrites the first executable of each format (COM and EXE) in a set of directories that is fixed per variant, excluding COMMAND.COM. It then changes the current directory to a variant-specific location and returns to the DOS prompt.

The virus performs replacement overwriting: it copies itself under the target's filename, so the original content is lost entirely and the infected files cannot be recovered. The timestamp of an infected file is changed to the time of infection.

The virus always selects the first file of each format in a directory, whether or not that file is already infected; running the virus again overwrites the same file instead of searching for the first uninfected one. It cannot overwrite files that carry the Read-only attribute, so if the first executable in a directory is read-only, the virus may be unable to spread at all.

Burma.409

This is the most dangerous variant and it differs slightly from the others. It overwrites the head of the file instead of replacing it, and it infects every executable file, plus SYS, ZIP, DAT and OVL files, in the current directory and in all of its parent directories up to and including the root directory. The timestamp of infected files is not changed. Unlike the other variants it also infects read-only files, but it does not infect files that are smaller than itself. The infection area can be illustrated by the following example tree:

C:(root)
|-DIR1
| |-SUB1-1
| |-SUB1-2
|-DIR2
| |-SUB2-1
| |-SUB2-2
| |-SUB2-3
|-DOS

Assume the virus is located in directory SUB1-2. Running the infected file infects files in SUB1-2, in DIR1 and in the root, while files in SUB1-1 (the sibling of the virus's directory and also a subdirectory of DIR1) and in all other directories remain uninfected.

Burma.442, 442.c, 442.d, 442.e, 442.i

These variants overwrite files in the current directory and in C:\DOS, then change the current directory to C:\DOS.

Burma.442.b

This variant overwrites files in the current directory and in the root directory, then changes the current directory to the root.

Burma.563 and 666

These variants overwrite files in the root directory and in C:\DOS; files in other directories are not infected. Afterwards they change the current directory to C:\DOS. For Burma.666, if an infected file already exists in the root directory, running the virus hangs the system while it attempts to replace that file, which leaves the file empty.

Burma.756

This variant overwrites files in the current directory only, so files in C:\DOS are not necessarily affected. Afterwards it changes the current drive to A:, and the system tries to read the floppy drive. If no disk is in the drive, DOS prompts the user to retry, abort or fail; if the user chooses abort, the virus infects nothing. If a disk is in the drive, the virus hangs the system while attempting the file replacement, which empties the files it was about to infect. After a failed access to A:, the virus returns to the same directory instead of C:\DOS.

Advanced details

This virus does not stay memory resident after termination.

MD5 hashes:

Payload

The payload of these variants flushes the characters on the screen like a toilet and then displays a message; Burma.409, 442.c and 442.d do not have this payload.

Burma.409

This variant does not manifest itself visibly, but because it overwrites the kernel system files (especially IO.SYS and MSDOS.SYS), the system can no longer boot and the user must reinstall it.
Burma.442, 442.b, 442.e

After the payload these variants display the following text:

- α

Burma.442.c and 442.d

These variants have no video effect and display no text, only an extra empty line.

Burma.442.i

This variant flushes the characters without displaying any text afterwards.

Burma.563, 666 and 756

After the payload they display the following text (the underscores represent the ASCII character 01h):

Reading system configuration, please wait.
S_w_i_z_z_l_e_S_t_y_x_x_!

Burma.756 also features a sound effect.

Variants

This family has 10 variants in total:

*Virus.DOS.Burma.409
*Virus.DOS.Burma.442 (plus B, C, D, E and I)
*Virus.DOS.Burma.563
*Virus.DOS.Burma.666
*Virus.DOS.Burma.756

Other details

The original samples of Burma.442.c and 442.d are only around 230 bytes, but files overwritten by them are still 442 bytes long; the code of the character-flushing payload is completely empty.

Burma.409 contains the internal text string:

*.COM *.EXE *.ZIP *.DAT *.SYS *.OVL Tempest - α Of Luxemburg Vaginal Discharge

Burma.442, 442.b and 442.e contain the internal text string:

*.?x? *.?o? \DOS - α Rangoon, Burma

Burma.442.c, 442.d and 442.i contain the internal text string:

*.?x? *.?o? \DOS

Burma.563, 666 and 756 contain the internal text string (the underscores represent the ASCII character 01h):

*.?x? *.?o? \DOS D_a_r_k_A_v_e_n_g_e_r
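A scanner that flags files overwritten by this family, built from the internal strings listed under Other details and the file sizes given on the page. This is an added example, not code from the page or from the virus. It assumes byte 01h where the page prints an underscore, leaves the "α" glyph out so the patterns stay ASCII (the page gives no byte value for it), and gates the replacement-overwriting variants on the exact body sizes 442, 563, 666 and 756 bytes, while Burma.409 is searched for only in the first 409 bytes of a file of any larger size because it overwrites the head. The sample files are constructed here; their byte layout (NUL-separated strings, NUL padding) is an assumption and not the real body layout.

```python
"""Scanner for Burma-overwritten files (added example, not the page's code).
Signatures: the internal strings quoted on the page, with 0x01 for the page's
underscores and the "α" glyph omitted. Constructed samples, not real bodies.
"""
import os
import tempfile


def sep01(text: str) -> bytes:
    """'DarkAvenger' -> b'D\\x01a\\x01r\\x01k...': the 01h-separated strings."""
    return b"\x01".join(bytes([c]) for c in text.encode("ascii"))


# (label, byte strings that must all be present, allowed file sizes, search window)
SIGNATURES = [
    ("Burma.409",
     [b"*.COM", b"*.EXE", b"*.ZIP", b"*.DAT", b"*.SYS", b"*.OVL",
      b"Tempest", b"Of Luxemburg", b"Vaginal Discharge"], None, 409),
    ("Burma.563/666/756",
     [b"*.?x?", b"*.?o?", b"\\DOS", sep01("DarkAvenger")], {563, 666, 756}, None),
    ("Burma.442/442.b/442.e",
     [b"*.?x?", b"*.?o?", b"\\DOS", b"Rangoon, Burma"], {442}, None),
    # only the generic strings: checked last so the marked variants win
    ("Burma.442.c/442.d/442.i",
     [b"*.?x?", b"*.?o?", b"\\DOS"], {442}, None),
]


def classify(data: bytes):
    """Label of the first signature whose strings all occur in `data` (within its
    search window) and whose size gate passes, or None for a clean file."""
    for label, markers, sizes, window in SIGNATURES:
        if sizes is not None and len(data) not in sizes:
            continue
        haystack = data if window is None else data[:window]
        if all(m in haystack for m in markers):
            return label
    return None


def scan_tree(root: str):
    """Walk `root` and return [(relative path, label)] for every flagged file."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                label = classify(fh.read())
            if label:
                hits.append((os.path.relpath(path, root), label))
    return hits


def body(parts, total: int) -> bytes:
    """Join NUL-separated strings and pad with NUL to the size a victim keeps."""
    raw = b"\x00".join(parts) + b"\x00"
    return raw + b"\x00" * (total - len(raw))


# Constructed victims and clean files (the real body layout is not modelled).
SAMPLES = {
    "GAME.EXE": body([b"\xb8\x00\x4c", b"*.?x?", b"*.?o?", b"\\DOS", b"- Rangoon, Burma"], 442),
    "UTIL.COM": body([b"*.?x?", b"*.?o?", b"\\DOS", sep01("DarkAvenger")], 666),
    "EMPTY.COM": body([b"*.?x?", b"*.?o?", b"\\DOS"], 442),
    # Burma.409 victim: a 409-byte head written over a larger file
    "IO.SYS": body([b"*.COM", b"*.EXE", b"*.ZIP", b"*.DAT", b"*.SYS", b"*.OVL",
                    b"Tempest - Of Luxemburg", b"Vaginal Discharge"], 409) + b"\xcc" * 2000,
    "CLEAN.COM": b"\xb4\x09\xcd\x21\xb8\x00\x4c\xcd\x21",
    # same strings as 442.c/d but not 442 bytes long: not reported
    "README.TXT": b"*.?x? *.?o? \\DOS notes",
}


def demo() -> dict:
    """Write the constructed files to a temporary directory, scan it, and return
    {relative path: label} for the flagged files."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in SAMPLES.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        return dict(scan_tree(tmp))


if __name__ == "__main__":
    for path, label in sorted(demo().items()):
        print(f"{path:12} {label}")
```

The size gate matters: the 442.c/d/i signature is nothing more than the three generic strings, so without the exact-size check any text file mentioning "*.?x? *.?o? \DOS" would be flagged, and even with it a 442-byte file carrying those strings is reported. Because these variants replace the file wholesale, a hit only tells you which files to restore from backup; nothing in the flagged file can be cleaned.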